Herb Lin: What are the challenges of cyber security from an international policy standpoint?

A question that often comes up and thinking about cybersecurity is: What’s the threat? Who do you have to worry.


A question that often comes up and thinking about cybersecurity is: What’s the threat? Who do you have to worry about? What kinds of threats you have to worry about? And the answer is, you have to worry about a very broad spectrum, the spectrum of threat actors is very large At the very low end, they are the what we call the “script kiddies,” the “ankle biters.” The guys who don’t know very much, but we just want to hack a little bit. At the highest of … the very highest level, are really the nation-states. Big nation-states—the U.S., Russia, China, Iran, Israel … probably the UK … probably France … probably germany … a couple of others … where they have very, very very, very, very good hacking teams and very sophisticated capabilities. And not only do they have technical skills, but they have intelligence agencies backing them up. So, the United States hacking operations are backed by, not just the NSA for example, but by the CIA, as well, who operates its own network of covert agents. And the same is true for China. And the same is true for Russia. And so on. And against these guys it doesn’t matter what you do. They will eventually get to you. They’ll find some way to get no matter how good your cyber security is, they will eventually get to you. This is when you have the crown jewels and they want them. They’ll get them. People who talk about cyber security almost always talk about it in terms of being defensive. And, I am perfectly happy to acknowledge that that is an important component of the definition of cyber security. There’s no there’s no question about that. It may even be the most important dimension of it, but there’s another dimension of it, as well. There’s the question of how you can use offensive operations in cyberspace how you can hack the bad guys. The bad guys don’t have to be other hackers. The bad guys can be any kind of bad guys. They can be guys trying to use a nuclear weapon against you, too. Those would be bad guys, as well, and i want to be able to use cyberattacks against them to shut them down and so on and to destroy their computers. That would be a good thing from my perspective and, in fact, it would be a good thing from the perspective of most people who would think about what the policy issues are and having the bad guys detonate a nuclear weapon. So, this is it this would be a good thing to be able to do. So, in fact, one of the things that i study here at Stanford is this question of: under what circumstances and how and whether it’s ever appropriate … when is it appropriate … what would make it appropriate? How you have to do it? How would you hack the bad guys in some way? I point out that this is an interesting … this raises all kinds of policy concerns. When you defend yourself. There’s very little controversy about that from political standpoint. Everybody thinks it has to be done, but if you start thinking about using offensive weapons in cyberspace, taking the offense in cyber space … when are you allowed to hack somebody else? That’s an interesting question and that’s the focus of my research. I do not say that the answer is: “Never.” There are many people who do. Friends of mine say that, that we should never go on the attack. And in some ways it’s always it’s always a bad thing to do it. And at least their position is clear. I disagree with it, but at least it’s clear. When you talk to me about it you get a much less clear answer, because, since I’m willing to do it sometimes, I have to say under what circumstances am I willing to do it? Well … turns out there is no law internationally … there’s no international law that prohibits the gathering of intelligence. None! But I daresay that the players in the world the the countries in the world that have good intelligence services, of which the U.S. is one, derive a lot of benefit for the spying activities, for the intelligence activities, that they conduct. And they’re probably not going to give it up. But here’s an interesting question, one that we’re starting to face right now. Let’s say another nation hacks an election that changes the results of an election. Nobody dies. Is that an act of war? It violates national sovereignty, yes. But does it does it count … is it armed attack? No arms. No bullets fired. Nothing happened. Nobody died. Nothing was damaged; only bits … or changed or revealed. I’ll be damned if I know the answer to that is. international lawyers are will have a field day with this. Many articles will be written about this in the future. I may even write one. Is cybersecurity hopeless or is there is there room for hope? Well, the answer is both. It’s hopeless if you set as your goal the elimination of cyber attacks and all cyber threats. That’s hopeless. That’s never gonna happen. If you think you’re going to do something — and this is something that I have a problem with in the policy process, because policymakers think, you know, we gave you all this money last year to deal with it. Why haven’t you fixed the problem? Well, it’s a problem that you have to fix over and over and over again. Why? Because when i put a better lock … you’ll get a better key … you’ll get a better locksmith to pick the lock. And if i put up something else, you’ll do something to counter that. You want to solve it once and for all? Well maybe what you can do is you can cut yourself from all communications, but of course that kind of environment isn’t very useful. In my office, I have a completely unhackable computer. It’s a rock with the USB cable coming into it. Nobody’s gonna hack that rock. I mean it’s completely unhackable. It’s useless, but it’s it’s unhackable. The problem is if you want to be useful, then any useful computing artifact is hackable … eventually, in some way. So, that part is the hopeless part. The hopeful part is that we’re getting better and better at least paying attention to this stuff.

Leave a Reply

Your email address will not be published. Required fields are marked *